Introduction

Blind signing, the practice of signing cryptocurrency transactions without understanding the contents of what is being signed, has long plagued the ecosystem and been the root cause of many thefts. Even sophisticated users are vulnerable, such as Chris Larsen, chairman of Ripple, who lost $150 million in January 2024 [2]. Of the $2.2 billion stolen assets in 2024, some $500 million in thefts were directly attributable to blind signing [7]. These risky signing practices have become an unavoidable part of crypto interactions, affecting even the most sophisticated users. A decentralized Fraud Prevention Network (FPN) incentivizes security validators to identify and block fraudulent transactions before they reach the blockchain.

This article examines notable cryptocurrency hacks stemming from blind signing vulnerabilities, analyzes security systems in traditional finance that fight fraud, and demonstrates how a decentralized FPN creates an economic framework that makes security profitable while protecting users' assets.

A Long History of Previous Hacks

Blind signing vulnerabilities have enabled some of the largest cryptocurrency thefts in history, with three recent attacks highlighting how easily security measures fail when users cannot verify what they are signing.

The ByBit Attack

On February 21, 2025, North Korea’s Lazarus Group stole $1.46 billion from ByBit by exploiting Gnosis Safe, the largest multi-sig wallet provider [3, 4]. They first compromised a Gnosis developer’s laptop to harvest AWS credentials, then injected malicious JavaScript into the Safe’s web UI that was prepared to activate on only one routine transaction ByBit had scheduled. They tricked the users into approving unauthorized withdrawals while displaying their expected transactions on the UI. Two minutes after the theft, they erased their code and funneled the proceeds through hundreds of addresses; @ZachXBT later published over 920 of them on ChainAbuse to help trace the funds.

A History of Similar Attacks

Before ByBit, Lazarus targeted two other high-profile players: WazirX, a prominent Indian exchange, and Radiant Capital, a cross-chain lending protocol.

On WazirX (July 18, 2024): Hackers exploited mismatches in how Liminal (WazirX’s custody UI) displayed transactions, tricking signatories into approving a malicious Gnosis Safe withdrawal, stealing $230 million in customer funds [5].

On Radiant Capital (Oct 16, 2024): Hackers disguised themselves as a former contractor of the company, sending a trojan‐laden ZIP of their “recent projects” by Telegram to multiple developers. Once the malware was installed, they waited for Radiant’s team to initiate Gnosis Safe transactions—then silently swapped them to drain lending-pool contracts. They lay dormant for one month, and once the team went to sign a normal protocol operation, changed the payload sent to their ledgers from the correct one to a malicious version. Within three minutes of the team signing, the attackers broadcast the transactions, stole $50m in user funds and scrubbed forensic evidence of the machine’s compromise [1].

Both heists relied on Gnosis Safe multisigs and succeeded by targeting the human element: users who trust the UI and blind sign on hardware wallets. Even an 11-signer, 3-signature threshold Safe is useless if attackers can easily deceive all active signers. Rather than increasing signer counts, a more effective solution could involve introducing an additional transaction veto mechanism.

North Korea's state-backed operations present a persistent threat because they operate with impunity. On the other hand, independent hackers are subject to international litigation and can rarely enjoy their proceeds. Many successful independent hackers end up returning most of the proceeds in exchange for their freedom [8, 12].

Cryptocurrency companies continue to be targeted by North Korean linked groups. In 2024, Lazarus-linked hacks are estimated to have netted their country approximately $1.3 billion [7], representing approximately 4.3% of annual GDP [9]. For a country mostly cut off from the outside world by sanctions, cryptocurrency theft represents a significant windfall for their nation. Insider compromise remains sufficient to defeat multisignature controls. To close this gap, security layers need to not only harden their code, but stop fraudulent transactions from confirming on-chain. Each of these heists appears to exploit the difficulty of payload verification. Many indicators point to blind signing as the root cause, as the user is unable to verify their intent matches what they sign.

Traditional Finance Fraud Prevention Systems

Credit cards power close to a third of all consumer spending in the United States. These cards rely on sophisticated risk management networks that have evolved over decades. Between the card issuer and merchant is a shield activated on each transaction, protecting all parties against fraud while enabling consumers to roll back fraudulent transactions.

When a credit card is used, a defense algorithm activates, checking the transaction against the consumer’s spending history, looking through spending velocity, seasonal habits, implying their current location, and running probabilistic models on their identity. After this review, payment processors then choose to accept or reject transactions.

This system is in place because merchants and card issuers are both incentivized to prevent fraud. If a merchant accepts a fraudulent payment, they lose both their merchandise and the payment when it's charged back. If an issuer misses fraud, they bear costs from dispute resolution and often cover the losses. This incentivizes both parties to stop fraudulent transactions, as 80% of fraud losses are shared between them [10] rather than falling on consumers [6].

Bringing Active Fraud Prevention Onchain

Infrastructure providers currently lack direct economic incentives to prevent fraudulent transactions. Since there is no reason to, wallets, node providers, and validators all disclaim liability from fraud, so the consequences fall on the end user. Unlike credit card networks, where issuers and merchants share the majority of losses to fraud, transactions on public blockchains are final, without mechanisms to intervene and protect users. To fix this, automated security reviews must be embedded directly into the transaction supply chain. By rewarding security validators for preventing hacks and penalizing them for false flags, infrastructure providers are financially motivated to host and run programs to protect users in real time.

To align the incentives of users and infrastructure providers against fraud, a stake-backed, decentralized Fraud Prevention Network (FPN) will review every transaction in real time. The network will reward accurate fraud detection, penalize false flags, and block any transfer that deviates from a user’s normal patterns, stopping unauthorized transactions without slowing legitimate activity.

Transaction Review by a Decentralized Validator Network

While waiting for inclusion in the mempool, a network of security nodes analyzes the transaction for potential threats, looking for unusual destination addresses, atypical transaction amounts, malicious contract interactions and deviations from the user's standard transaction patterns.

Transactions routed through this network have independent validators with staked collateral analyze the transaction. These validators are financially motivated to identify and flag suspicious transactions, as they earn rewards for correctly identifying fraud and face slashing for false positives.

Network Overview and Operating Principles

This network employs an optimistic approval model where transactions are assumed to be legitimate unless explicitly flagged. Account Abstraction wallets allow for the programmability of wallets, per the ERC-4337 specification [11]. Once flagged, execution is blocked, pending further review. The network leverages account abstraction's programmable nature, adding programmable transaction validation, allowing user operations to be intercepted and reviewed by specialized bundlers that query the FPN before block inclusion.

To understand how this network works in practice, consider user Alice's experience. Alice uses an account abstraction wallet to interact with what she believes is a legitimate dApp, unaware it's actually a phishing site crafting a transaction to transfer all her tokens to an attacker's address. When she initiates the transaction, her signed UserOp (User Operation, the transaction format used in account abstraction wallets) is routed through the FPN for validator review rather than immediate broadcast. Within seconds, FPN validators analyze the pending operation and identify several red flags: the recipient address was created by a known threat actor, and the transaction attempts to transfer an unusually large amount of assets to a new, unverified contract. A validator immediately flags the transaction as fraudulent, and other validators independently reach the same conclusion. Once the required quorum is met, the transaction is marked as fraudulent onchain, and the network instructs the bundler not to include it in a block. Alice's transaction never reaches the chain since it was blocked.

Alice then receives a notification explaining why her transaction was blocked, with details "The destination address is flagged as a known scam address." Her funds never leave her wallet, and she pays a small fee, 1% of the amount saved. The validators who correctly flagged the transaction receive proportional payouts from this reward. The entire process completes within three seconds, a minimal delay justified by the funds saved. Should Alice believe the transaction was actually legitimate, she has a window to open a dispute by posting a bond as collateral. A decentralized review council would then examine her case and, if they determine the transaction was indeed legitimate, her bond and reward would be refunded.

Looking Forward: Incentive Alignment at Scale

This network will be wrapped in a simple interface and mostly invisible to users, abstracting away the complexity, risk models, and the entire supply chain underwriting this risk. When an FPN becomes a standard layer of the transaction supply chain, scams and thefts will become significantly harder to execute as attackers know a group of guardians with veto capabilities stands between them and users' funds.

Conclusion

Blind signing in cryptocurrency presents a security challenge: the blockchain recognizes only what users sign, regardless of their intent. This reality has led to billions in losses as sophisticated attackers exploit the gap between interfaces and intent. When frontends or personal computers are compromised, the signed transaction serves as the authoritative record of the user’s intent.

A decentralized Fraud Prevention Network doesn’t just improve security, it transforms the users’ relationship with these systems by adding a safety net to catch them. Routing transactions through security specialists with a financial stake in outcomes converts security from recurring SaaS spend for wallets into a self-sustaining ecosystem of security providers each protecting users. Had institutions like ByBit, WazirX or Radiant Capital used this network, their funds could have been saved, with malicious transactions stopped before reaching the blockchain.

The implementation of economic reward structures for security experts transforms fraud prevention from an externality to a core economic function within the blockchain ecosystem. Through the integration of a continuously operational security validation layer with financial compensation proportional to successful threat mitigation, a foundation for enhanced trust in transaction integrity is established. The proposed Fraud Prevention Network architecture would facilitate an environment where transaction execution more reliably reflects users' intents.

About the Authors

Elliot Friedman is a smart-contract engineer and founder of Kleidi, a decentralized Fraud Prevention Network. Prior to Kleidi, Elliot founded Solidity Labs, a boutique consulting firm that built leading DeFi protocols, hardened the largest organizations in crypto against the toughest threat actors, and created open source tools to help secure governance systems.

Tesvara Jiang is a sophomore at Stanford studying CS.

Works Cited

1. Bitcoin.com News. (n.d.). Radiant Capital hack: How hackers used a PDF to steal $50 million. Retrieved May 16, 2025, from https://news.bitcoin.com/radiant-capital-hack-how-hackers-used-a-pdf-to-steal-50-million/.

2. Blockworks. (n.d.). Ripple co-founder hack. Retrieved May 16, 2025, from https://blockworks.co/news/ripple-co-founder-hack.

3. Sygnia. (n.d.). Sygnia investigation: Bybit hack. Retrieved May 16, 2025, from https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/.

4. Cointelegraph. (n.d.). Lazarus Group 2024 pause & repositioning $1.4 B Bybit hack. Retrieved May 16, 2025, from https://cointelegraph.com/news/lazarus-group-2024-pause-repositioning-1-4-b-bybit-hack.

5. Unchained Crypto. (n.d.). $230 million WazirX hack potentially linked to Lazarus Group, say blockchain researchers. Retrieved May 16, 2025, from https://unchainedcrypto.com/230-million-wazirx-hack-potentially-linked-to-lazarus-group-say-blockchain-researchers.

6. NerdWallet. (n.d.). Merchants & victims of credit-card fraud. Retrieved May 16, 2025, from https://www.nerdwallet.com/article/credit-cards/merchants-victims-credit-card-fraud.

7. Chainalysis. (2025). Crypto hacking and stolen funds in 2025. Retrieved May 16, 2025, from https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/.

8. Wikipedia. (n.d.). Poly Network exploit. Retrieved May 16, 2025, from https://en.wikipedia.org/wiki/Poly_Network_exploit.

9. Wikipedia. (n.d.). Economy of North Korea: Size of the North Korean economy. Retrieved May 16, 2025, from https://en.wikipedia.org/wiki/Economy_of_North_Korea#Size_of_the_North_Korean_economy.

10. Federal Reserve. (2021). 2021 Interchange Fee Revenue, Covered Issuer Costs, and Covered Issuer and Merchant Fraud Losses Related to Debit Card Transactions. Retrieved May 16, 2025, from https://www.federalreserve.gov/paymentsystems/2021-Interchange-Fee.htm.

11. Ethereum Foundation. (n.d.). EIP-4337: Account Abstraction via EntryPoint Contract Specification. Retrieved May 16, 2025, from https://eips.ethereum.org/EIPS/eip-4337.

12. Bitdefender. (2023, March 16). Lending Protocol Announces Recovery of Some Funds After $200 Million Euler Crypto Heist. Retrieved May 20, 2025, from https://www.bitdefender.com/en-us/blog/hotforsecurity/lending-protocol-announces-recovery-of-some-funds-after-200-million-euler-crypto-heist